IoT devices and cloud-based services represent the next frontier for digital surveillance, claims a new report.

A report today from Harvard University's Berkman Center for Internet and Society tosses
some cold water on the hotly contested debate over encryption vs. security,
asserting that even if pro-encryption privacy advocates prevail, there are
newly emerging avenues for intelligence agencies to conduct surreptitious
digital surveillance.

The report, “Don't Panic. Making Progress on the Going Dark Debate,” predicted that
in lieu of backdoors to encrypted messaging apps, law enforcement will increasingly
turn to less fortified vectors to conduct offensive online investigations,
including Internet of Things (IoT) devices, cloud-based services and apps whose
business models rely heavily on customer data collection.

Reflecting the input of security experts across academia, civil society and the
intelligence community, the report suggests that IoT devices, particularly
those enhanced with networked sensors, cameras and microphones, could serve as
especially powerful surveillance tools.

“These are prime mechanisms for surveillance: alternative vectors for
information-gathering that could more than fill many of the gaps left behind by
sources that have gone dark—so much so that they raise troubling questions
about how exposed to eavesdropping the general public is poised to become,” the
report cautions. For instance, smart TV manufacturers could potentially be
ordered to let federal investigators eavesdrop on their customers'
conversations via mechanisms that normally enable voice-based commands.

The report also notes that in some cases, “Market forces and commercial interests will
likely limit the circumstances in which companies will offer encryption that
obscures user data from the companies themselves.” For example, online service
providers whose advertising models necessitate ample customer data collection
will not be inclined to offer encryption services; therefore, their data would
remain visible to investigators. The same goes for cloud-based services, as
end-to-end encryption is currently impractical for any cloud-based features
that require access to plaintext data, such as full-text search.

The report also notes that metadata—still an important investigative tool—remains
unencrypted and is likely to remain so in the future.

Paul Ferguson, threat research advisor at Trend Micro, told SCMagazine.com that
he largely agreed with the report's premise. “The
technology behind a lot of new and emerging services are not built around
privacy or security, so it leaves a lot of wiggle room for an adversary to get
access to sensitive information, whether that is browsing history, cell phone call detail records, ISP logs, etc.,” said
Ferguson. In this instance, the adversary would be a domestic intelligence
agency, though it could equally refer to cybercriminals or nation-state actors.

Merritt Maxim, senior analyst at Forrester Research, was
less convinced that IoT devices and networked sensors currently constitute a
viable channel for digital surveillance. “It's a possibility, but the [IoT]
market is still emerging. There are no standards for exchanging or sharing data,”
said Maxim. “As the market matures, and interfaces and data exchange become
more standardized, it might be easier to gather data from sensors.”
